I was studying different WAFs, from open-source (such as ModSecurity and NAXSI) to commercial solutions (Imperva, Citrix, Fortinet, etc.). Many people state that having a whitelist-based WAF is far ...

I am trying to establish an application security group within an organization and although there is a plethora of courses for penetration testers, I fail to find an equal amount of training courses ...

A client has asked me to help them out with their WAF processes. Currently they have a few critical web applications being protected by a couple of WAFs. I have managed to get the WAFs tuned and ready ...

What is the best way of testing my firewall configuration, as I have deployed the Core Rule Set provided by OWASP. But my rule configuration was giving me too many false positives which I resolved ...

Web Application Firewalls rely on negative and positive security traffic rules to protect web applications from being exploited. My question is: is there any other web traffic modelling technique ...

How practical are anomaly-based web application firewalls in mitigating web-based attacks? Which types of threats do they mitigate against and which don't they? Are there any practical implementation ...

My team's been doing some research into WAF protections based upon a WAF testing tool released at Black Hat this year. In the tool, there's a list of hostname evasion tests - that are really just an ...

Following are the two rules taken from the ModSecurity CRS core ruleset. These two rules are base rules for XSS attacks. If we look at these two rules, their variables and actions are the same; what they differ ...

For Network Layer Firewalls we have different sorts of redundancy and consistency checks, like rule shadowing, that can impact the performance of the firewall. Can similar kinds of checks be applied on ...